[Dailydave] Equitablefax

Kristian Erik Hermansen kristian.hermansen at gmail.com
Wed Sep 27 16:30:40 UTC 2017


If Equifax had a public bug bounty program, someone would have reported the
Java RCE in March 2017 and picked up $10K or more for it. But no, Equifax
did not have a public bug bounty program. Say what you will about the pros
and cons of a bug bounty program, especially for financial institutions
which "know better than the public how to protect themselves", but at least
in this case a known issue would have been well documented much earlier. We
should encourage other credit and financial companies to consider public or
at the very least private bug bounty programs. It's a mess to operate them,
but not patching a known critical web flaw ASAP that allows RCE is
precisely the legal definition of negligence. Equifax should pay dearly for
it.

Perhaps it's time to consider federal Cyber Security Insurance laws for
such companies which force them to pay fees to operate on the Internet
just like everyone that drives a car on the road? If you crash your car
every time you get on the highway, or you damage 140 million cars while
driving, you would lose your license for some time. Why hasn't Equifax lost
their license to operate on the internet for some time? How about a 2 year
hiatus on their annual revenue to punish them? Just a thought. Maybe Halvar
can chime in on why Cyber Security Insurance regulation like that is OR is
not the answer. He has been working on that lately...